sort table values by table values

sarit_s
Communicator

Hello

I have a table with 3 columns

1 is strings

and 2 columns with numbers

Is there a way to sort the table from the highest number to the lowest across all the values in the table?

for example:

sarit_s_0-1630568310308.png

This is part of my table, and I want to sort the numbers in "priority" and "silverpop" regardless of which one of them it is, just to see the row with the highest value first

0 Karma

PickleRick
Ultra Champion

If I understand you correctly, you have more than one column and you want to sort by the higher of the values of those columns, right? So if you have, for example

a   1   1
b  12   2
c   4   6
d   6   8
e   7  25
f  37   4
g   5  11
h   2   3

You would like to have, as an output

f  37   4
e   7  25
b  12   2
g   5  11
d   6   8
c   4   6
h   2   3
a   1   1

If so, then it's probably easiest to add a synthetic column which will be used for sorting and remove it after sorting

< your search > | eval sortcol=max(col1,col2) | sort - sortcol | fields - sortcol

0 Karma

sarit_s
Communicator

Hey,

thanks

but it is sorting only the first column

this is my query:

sourcetype="kube:container:notificationsservice-workerservice" Message="Filtered channel context" ("ContextData.ChannelName"=SalesforceEmail OR "ContextData.ChannelName"=SalesforcePriorityEmail)
| stats count AS Priority BY "AdditionalData.Meta.NotificationType"
| rename "AdditionalData.Meta.NotificationType" As Column
| append [ search 
     sourcetype="Silverpop-Transactional-*" Message="Message was successfully sent to *"
     | stats count AS Silverpop BY "AdditionalData.additionalData.AdditionalParameters.MailingID"
     | rename "AdditionalData.additionalData.AdditionalParameters.MailingID" AS Column
     ] | eval sortcol=max(Priority,SilverPop) | sort - sortcol | fields - sortcol

 

0 Karma

PickleRick
Ultra Champion

Well, |sort sorts all rows by the specified columns so I don't understand what you mean by "sorts only first column".

0 Karma

sarit_s
Communicator

the result of this query sorts only the Priority column, it is ignoring the Silverpop one

0 Karma

sarit_s
Communicator

Sorry, it's my bad, I had a typo

Thanks, it's working

0 Karma

PickleRick
Ultra Champion

No. It seems you have empty results in those columns. That way max(a,b) doesn't make sense if both values are not numbers. So it will not calculate an output value.

You might want to fillnull with a low value before doing the eval=max[...].

0 Karma
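
The fillnull step suggested above, shown as an added example that is not part of the original thread. The rows are constructed with makeresults to mimic the append output in the question, where each row carries either Priority or Silverpop but never both; the Column values are made up.

```spl
| makeresults
| eval Column="NotificationTypeA (constructed)", Priority=12
| append [| makeresults | eval Column="NotificationTypeB (constructed)", Priority=4]
| append [| makeresults | eval Column="MailingID-1 (constructed)", Silverpop=37]
| append [| makeresults | eval Column="MailingID-2 (constructed)", Silverpop=7]
| fields - _time
| fillnull value=0 Priority Silverpop
| eval sortcol=max(Priority, Silverpop)
| sort 0 - sortcol
| fields - sortcol
```

With these rows the output order is MailingID-1 (37), NotificationTypeA (12), MailingID-2 (7), NotificationTypeB (4). Field names in SPL are case-sensitive, so the names passed to max() must match the names created by `stats ... AS` exactly.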